Hmm, I didn’t notice this bug when I opened #7082. Please do not use this patch, as it opens a race condition where an unprivileged attacker may briefly have access to a sensitive ticket. Please use the patch in #7082 instead.

Hm. But doesn’t your patch prevent users without SENSITIVE_VIEW permission from opening a ticket?

No, I just tested; users without SENSITIVE_VIEW permission are able to open a ticket just fine.

Now, if they open a _sensitive_ ticket, then they do not have permission to view the ticket they just opened, and they are mysteriously redirected back to the new ticket form with no indication that the ticket was successfully opened (even though it was). But that behavior is the same with your patch, my patch, or no patch. I’ll open a separate bug for that.

Also, since neither patch has been applied yet, I’m going to reopen this bug and resolve it as “duplicate”.
